If you’re still using WinRAR, watch out for this dangerous exploit - and please stop

A fake PoC for a WinRAR exploit is making rounds

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Scammers have been found trying to distribute the VenomRATmalware, by disguising it as a proof-of-concept (PoC) for a newly discovered WinRAR vulnerability.

Cybersecurity researchers from Unit 42 (Palo Alto Networks) recently found a piece of code uploaded to GitHub, claiming to be a PoC for CVE-2023-40477. This is a flaw that allows threat actors to run arbitrary code on target endpoints if the victims run a custom-tailored RAR file in WinRAR older than version 6.23.

This vulnerability was discovered by Trend Micro’s Zero Day Initiative in early June 2023, and fixed in early August, with version 6.23 of the popular archiving program.

VenomRAT

However, soon after public disclosure of the flaw, a malicious actor uploaded a piece of code on GitHub, claiming it to be a PoC for the flaw. The upload even came with a readme file and a video demonstration on how to use the tool.

In reality, though, the code just downloads an encoded PowerShell script which, in turn, downloads the VenomRAT malware. This malware does a number of things, including logging all key presses and listing installed apps and active processes. The malware can be used to deploy other payloads, and steal credentials,BleepingComputerwarns, urging everyone who executed this fake PoC to change their passwords for all sites and environments they use.

Unit 42’s researchers also said that the threat actor’s infrastructure was in place long before the payload was deployed to GitHub, implying that they might try the same thing in the future, with a different vulnerability. The user account that uploaded the fake PoC is now inactive, it was added.

GitHub is an extremely popular code repository and as such, a major target for hackers. Most of the time, they try to trick developers into downloading malware through typosquatting and impersonation.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time